Check your security release

Before we highlight what’s included with the August 2016 Android Security Bulletin, it’s always good to know what security release your device has installed. Of the Android devices I use regularly, the Verizon-branded Nexus 6 running Android 7.0 has the July 2016 security update, and the Nextbit Robin running Android 6.0.1 has the June 2016 security update. So clearly the August 2016 update has yet to hit even some of the Nexus devices (it’s supposed to hit those devices first). Hold on…it’s coming.

To find out which security release is installed on your device, open Settings, scroll down and tap About Phone, and then look for Android Security Patch Level (Figure A). If you see an older security patch level, fret not…a new one will appear in an update soon.

Remote code execution vulnerability in Mediaserver

Naturally, our first point of entry is the most popular vulnerable system in the Android Security Bulletin: the Mediaserver. There are three bugs affecting this particular system, each of which allow a remote code execution that could enable an attacker, using a specifically crafted file, to cause memory corruption during media file and data processing. These three bugs are tagged Critical because of the possibility they could set off remote code execution within the Mediaserver process (a subsystem that has access to audio and video streams and has access to privileges that third-party apps would not normally be able to access).

Related bugs are:

High issues

Remote code execution vulnerability in libjhead

New to the Android Security Bulletin is libjhead. A vulnerability found in libjhead can cause an out of bounds error and enable an attacker, using a specially crafted file, to execute arbitrary code in the context of an unprivileged process.

The vulnerability is marked High in severity. The bug in which this was found is A-28868315.

Elevation of privilege vulnerability in Mediaserver

Look who’s back! It’s the Mediaserver. This time there are four vulnerabilities (each marked High) that could enable a local malicious application to execute arbitrary code within the context of a privileged process and gain access to elevated capabilities not normally accessible to third-party applications. The related bugs are:

Denial of service vulnerability in Mediaserver

The Mediaserver gets hit yet again with a denial of service vulnerability. This particular vulnerability (of which there are four related bugs) can enable an attacker, using a specially crafted file, to cause a device to hang or even reboot. The related bugs are:

Denial of service vulnerability in system clock

Another denial of service vulnerability hits the system clock. Unlike the Mediaserver denial of service vulnerability, the system clock bug would only allow the malicious code to crash the device (not reboot). The related bug is A-29083635.

Moderate issues

Elevation of privilege vulnerability in framework APIs

There’s an elevation of privilege vulnerability (in the framework APIs) that could enable a malicious application to bypass data isolating protections (protections that isolate data from one application to another). This vulnerability is rated Moderate due to its ability to gain access to data outside of an application’s permission level. The related bug is A-28795098.

The bugs slow to a crawl

The August 2016 Android Security Bulletin was one of the shortest bulletins since the monthly Android security updates started—having only one Critical issue should be seen as a landmark for the platform. Nevertheless, there are still issues to be fixed and users should always remain vigilant about updating their devices.

If your Android includes an out of date security patch level, make sure to keep checking for updates…eventually that device will catch up.